Problem in managing Federated Identity #7

Open
yookoala opened this issue Jun 6, 2018 · 8 comments

@yookoala

yookoala commented Jun 6, 2018

By @ncoghlan in #6:

I came here to file an issue about handling the federated identity management problem (and noting how difficult that is without authenticated access to email addresses as a federated identifier), but given @cjslep's response above, I think this issue can serve that purpose :)

The first paragraph in the "How it works" section of https://docs.gitlab.com/ee/user/project/import/github.html gives the gist of the problem: in order for repos to map identities correctly, users currently either have to make their email addresses on each service public, or else authenticate with the importing service before the import happens.

Neither GitLab nor anyone else currently models the notion of an "unclaimed pseudonym" to track activity where a user ID on a remote service is known, but that remote identity isn't yet mapped to a local identity in a way that verifies that the same human is plausibly in control of both accounts.

@yookoala
Author

yookoala commented Jun 6, 2018

From @yookoala in #5:

A quick note on point 1 in "What": SNSs like Mastodon federate their identities by including the server domain in them (i.e. "yookoala@github.com" for my account here). The same username on different servers is considered different users, and thus there is no need to reserve usernames across the federation.

@techknowlogick

I believe Mastodon (and related) use the WebFinger standard for discovering information about people/entities.

@yookoala
Author

yookoala commented Jun 6, 2018

@techknowlogick: You're correct. Those identities stay on the original server while remote servers would cache them. The cached account would still have the original domain name attached as part of the identity.

@ppwfx
Member

ppwfx commented Jun 6, 2018

curl -L -H "Accept: application/activity+json" https://mastodon.social/users/kiriska | jq .

that's how mastodon provides the identity

related issue mastodon/mastodon#4906

@yookoala
Author

yookoala commented Jun 6, 2018

@21stio: That is not the only identity query service in Mastodon. Mastodon also supports WebFinger. In fact, if you want to federate with Mastodon, you must implement the WebFinger endpoint for account query. Or else Mastodon wouldn't be able to follow your account.

For example, for my mastodon.social account:

curl -L "http://mastodon.social/.well-known/webfinger?resource=acct:yookoala@mastodon.social"

WebFinger is not part of the AP specification, anyway. Not saying we must do so.
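
The WebFinger lookup described in the comment above, as an added example that is not part of the original thread or the project's code: it builds the lookup URL for a user@domain handle and extracts the ActivityPub actor URL from a JRD response, rejecting a response whose subject names a different account. The sample JRD is constructed, the function names are hypothetical, and the strict subject-match policy is an assumption of this example.

```python
import json
from urllib.parse import urlencode, urlsplit

AP_TYPE = "application/activity+json"

# Constructed sample JRD, not a captured response.
SAMPLE_JRD = json.dumps({
    "subject": "acct:yookoala@mastodon.social",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://mastodon.social/@yookoala"},
        {"rel": "self", "type": AP_TYPE,
         "href": "https://mastodon.social/users/yookoala"},
    ],
})

def parse_acct(handle):
    """Split 'user@domain' (optional 'acct:' prefix or leading '@')."""
    h = handle.strip()
    h = (h[5:] if h.startswith("acct:") else h).lstrip("@")
    user, sep, domain = h.partition("@")
    if not (sep and user and domain) or "@" in domain or "/" in domain:
        raise ValueError(f"not a user@domain handle: {handle!r}")
    return user, domain.lower()

def webfinger_url(handle):
    """Build the lookup URL on the account's own server."""
    user, domain = parse_acct(handle)
    query = urlencode({"resource": f"acct:{user}@{domain}"})
    return f"https://{domain}/.well-known/webfinger?{query}"

def actor_url_from_jrd(handle, jrd_text):
    """Return the ActivityPub actor URL for handle, or raise ValueError."""
    want_user, want_domain = parse_acct(handle)
    jrd = json.loads(jrd_text)
    if not isinstance(jrd, dict):
        raise ValueError("JRD is not a JSON object")
    got_user, got_domain = parse_acct(str(jrd.get("subject", "")))
    # Assumed strict policy: the answer must be about the account we asked for,
    # so a cached identity is never keyed under a different user@domain.
    if (got_user.lower(), got_domain) != (want_user.lower(), want_domain):
        raise ValueError("JRD subject does not match the requested account")
    for link in jrd.get("links", []):
        if link.get("rel") == "self" and link.get("type") == AP_TYPE:
            href = urlsplit(str(link.get("href", "")))
            if href.scheme != "https" or not href.hostname:
                raise ValueError("actor link is not an https URL")
            return href.geturl()
    raise ValueError("no ActivityPub 'self' link in JRD")
```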

@ppwfx
Member

ppwfx commented Jun 6, 2018

interesting, cheers

@bill-auger
Member

the mailing list is now fully functional - a thread has been started on the mailing list to continue the discussion in this issue - for those who are subscribed to the mailing list, check your email for the thread titled "identity/auth management"; and reply to it to continue the discussion begun on this issue

@poVoq

poVoq commented Jun 12, 2018

Please have a look at the ZOT protocol used by Hubzilla: https://project.hubzilla.org/help/en/developer/zot_protocol#What_is_Zot_
